>>>> Are you thinking of dumping the blacklst and blackout chains in the
>>>> INPUT, OUTPUT and FORWARD chains, filtering out just the interface?
>>>>
>>> No: I'm merely suggesting that the first column could be of the form
>>> <interface>:<network list>. The <interface> would be the source
>>> interface in 'src' entries and the destination interface in 'dst'
>>> entries.
>>>
>> Where are you going to place these statements - in the same
>> blacklst/blackout chains shared among all zones or somewhere else? If
>> so, where?
>>
> Same chains as today.
>
So, if I place 50 blacklist entries for tun0 and 1 for eth0, then in order to get a packet through eth0 it has to traverse through 51 entries in that same chain? "Square pegs in round holes" comes to mind... Thanks, but no thanks!
I'd rather have a separate chain for each interface - that way a given packet will traverse through fewer entries - much more efficient and less time-consuming.

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
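The traversal cost argued over in this message, as an added example that is not part of the original thread or Shorewall's own code: a simplified model of linear, first-match chain evaluation comparing one shared chain against per-interface chains. The `blacklst_<interface>` chain names, the sample networks and the rule dictionaries are assumptions made for illustration.

```python
import ipaddress

# Constructed blacklist: 50 networks on tun0 and 1 on eth0 (the counts used in the message).
ENTRIES = [("tun0", f"10.{i}.0.0/16") for i in range(50)] + [("eth0", "192.0.2.0/24")]

def rule(iface, net):
    return {"iface": iface, "net": ipaddress.ip_network(net), "target": "DROP"}

def shared_layout(entries):
    """One chain for all interfaces; each rule matches interface and source network."""
    return {"blacklst": [rule(i, n) for i, n in entries]}

def per_interface_layout(entries):
    """A dispatch chain with one jump per interface, plus one chain per interface."""
    chains = {"blacklst": []}
    for iface, net in entries:
        name = f"blacklst_{iface}"  # hypothetical chain name
        if name not in chains:
            chains[name] = []
            chains["blacklst"].append({"iface": iface, "net": None, "target": name})
        chains[name].append(rule(None, net))
    return chains

def evaluate(chains, in_iface, src, chain="blacklst"):
    """Walk a chain in order, first match wins; return (verdict, rules_examined)."""
    addr = ipaddress.ip_address(src)
    examined = 0
    for r in chains[chain]:
        examined += 1
        if r["iface"] not in (None, in_iface):
            continue  # interface does not match this rule
        if r["net"] is not None and addr not in r["net"]:
            continue  # source address does not match this rule
        if r["target"] == "DROP":
            return "DROP", examined
        # Jump into the per-interface chain and add the rules examined there.
        verdict, n = evaluate(chains, in_iface, src, r["target"])
        examined += n
        if verdict == "DROP":
            return "DROP", examined
    return "RETURN", examined

if __name__ == "__main__":
    for layout in (shared_layout, per_interface_layout):
        print(layout.__name__, evaluate(layout(ENTRIES), "eth0", "198.51.100.7"))
```

In this model a clean packet arriving on eth0 is checked against 51 rules in the shared chain and 3 with per-interface chains, while a tun0 packet pays one extra rule for the dispatch jump.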
